Cisco Support Community

New Member

Unable to RDP or Ping to Remote Site

Hi

We have two ASAs. One on Site A (ASA 5510) and one on Site B (ASA 5505).

I have a VPN Site to Site tunnel connecting both sites which is working away fine. Users on the remote site can access servers here on Site A.

My problem is that from Site A I am unable to ping any PCs on Site B or RDP to them. It is essential for our IT Helpdesk to be able to RDP to these machines.

Our internal network on Site A has a 10.255.0.0 255.255.0.0 range. And the remote network has a 192.168.1.0 255.255.255.0 range.

I will upload both configs and maybe someone can shed some light as to why I can't ping or RDP to the remote machines.

Thanks

11 REPLIES
Super Bronze

Re: Unable to RDP or Ping to Remote Site

On site B, please remove the following line:

nat (outside) 0 access-list outside_nat0_outbound

And perform "clear xlate" after removing the above.

On site B, please also add the following:

policy-map global_policy
   class inspection_default
      inspect icmp

Hope that helps.

New Member

Re: Unable to RDP or Ping to Remote Site

When I say

no nat (outside) 0 access-list outside_nat0_outbound

I get the following error:

ERROR: access-list outside_nat0_outbound not bound nat 0

Any ideas?

Super Bronze

Re: Unable to RDP or Ping to Remote Site

Strange, because that statement is in your configuration on site B.

What does the output of "sh run nat" show you?

If it's not showing that particular line, try "clear xlate" and see if you can RDP or ping to site B.

You might also want to check whether "Windows Firewall" or another PC firewall is turned on, because sometimes they block incoming pings/connections.

Are you able to ping 192.168.1.1 from site A?

New Member

Re: Unable to RDP or Ping to Remote Site

This is what I have when I run sh nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

Actually when I ping 192.168.1.1 I do get replies, I hadn't tried that until now.

If I try to ping a PC called sph-comp-164, IP 192.168.1.21, on Site B I get Request Timed Out.

All PCs on that end have firewalls disabled.

Thanks!

Super Bronze

Re: Unable to RDP or Ping to Remote Site

Have you added this on site B:

policy-map global_policy
   class inspection_default
      inspect icmp

New Member

Re: Unable to RDP or Ping to Remote Site

On Site B I can enter the first two lines but the third throws up the following error. Am I doing something wrong?

Super Bronze

Re: Unable to RDP or Ping to Remote Site

If you are on ASDM, please enable it through the following:

Configuration --> Firewall --> Service Policy Rules --> highlight and edit the "inspection_default" rule --> go to "Rule Actions" tab --> enable "ICMP" --> OK --> Apply

New Member

Re: Unable to RDP or Ping to Remote Site

Okay I did that, still unable to ping 192.168.1.21

Here is what I can see through the logs. 10.255.251.82 is my PC. Not sure why the 62.77.180.162 address is appearing there.

Super Bronze

Re: Unable to RDP or Ping to Remote Site

What IP address does 62.77.180.162 belong to?

Does 192.168.1.21 actually respond to ping?

If you go to command line, and run "debug icmp trace" and ping, what are you seeing?

Also, can you please run "sh run all sysopt" and share the output?

New Member

Re: Unable to RDP or Ping to Remote Site

That IP Address belongs to an external email hosting company that we use and they come through the ASA on site A. I blanked that out of Site A's config. Just not sure why it is appearing on SITE B's ASA.

When I ping 192.168.1.21 I simply get request timed out.

Here is the result from sysopt.

Unfortunately the ASDM won't allow me to run debug commands from it.

Super Bronze

Re: Unable to RDP or Ping to Remote Site

As far as the configuration on site B is concerned, it seems to be correct.

You might want to try pinging other IP addresses in the 192.168.1.x subnet. If you can ping the ASA inside interface 192.168.1.1, that means the crypto configuration is correct and the ping actually does come from site A towards site B.

Seems to be something local to your LAN subnet.

If you have a switch with an SVI on the 192.168.1.x subnet, try to ping that and see if it works. Normally a network device like a switch or router replies to ping if no access-list is blocking it.
